slimtoolkit / slim

Slim(toolkit): Don't change anything in your container image and minify it by up to 30x (and for compiled languages even more) making it secure too! (free and open source)
Apache License 2.0

panic: runtime error: index out of range [recovered] #29

Open ghost opened 8 years ago

ghost commented 8 years ago

I had the image daly/axiom installed

daly/axiom                              latest              ed72bab16cb0        13 months ago       897.3 MB

via docker pull daly/axiom. But I could not run it on Mac because of this issue, so I wanted to modify its seccomp profile. When I ran ./docker-slim build daly/axiom I got the following message:

docker-slim: [build] image=daly/axiom http-probe=false remove-file-artifacts=false image-overrides=map[] entrypoint=[] (false) cmd=[] (false) workdir='' env=[] expose=map[]
INFO[0000] docker-slim: inspecting 'fat' image metadata... 
INFO[0000] docker-slim: [sha256:ed72bab16cb05ec709144040a78a9dedae9a23198f253e912e60c436aa639583] 'fat' image size => 897273078 (897 MB)

INFO[0000] docker-slim: processing 'fat' image info...  
INFO[0000] docker-slim: starting instrumented 'fat' container... 
INFO[0000] docker-slim: created container => 3e50b43c74eed72deff49e28597d1a2648a8d70f55baca40876e889fb0e83869 
panic: runtime error: index out of range [recovered]
    panic: runtime error: index out of range

goroutine 1 [running]:
github.com/codegangsta/cli.HandleAction.func1(0xc8201215d0)
    /Users/me/Desktop/CI_GITHUB/docker-slim/_vendor/src/github.com/codegangsta/cli/app.go:474 +0x417
github.com/cloudimmunity/docker-slim/master/inspectors/container.(*Inspector).RunContainer(0xc82020a180, 0x0, 0x0)
    /Users/me/Desktop/CI_GITHUB/docker-slim/_vendor/src/github.com/cloudimmunity/docker-slim/master/inspectors/container/container_inspector.go:176 +0x1771
github.com/cloudimmunity/docker-slim/master/commands.OnBuild(0x0, 0x0, 0x0, 0xc82000b8f0, 0x7fff5fbffb0c, 0xa, 0x0, 0x0, 0xc82000b800, 0x737a10, ...)
    /Users/me/Desktop/CI_GITHUB/docker-slim/_vendor/src/github.com/cloudimmunity/docker-slim/master/commands/build.go:75 +0xd48
main.init.1.func4(0xc820088640, 0x0, 0x0)
    /Users/me/Desktop/CI_GITHUB/docker-slim/apps/docker-slim/cli.go:321 +0x11d3
reflect.Value.call(0x3a9b00, 0x59e570, 0x13, 0x4cfbf0, 0x4, 0xc820121530, 0x1, 0x1, 0x0, 0x0, ...)
    /usr/local/go/src/reflect/value.go:432 +0x120a
reflect.Value.Call(0x3a9b00, 0x59e570, 0x13, 0xc820121530, 0x1, 0x1, 0x0, 0x0, 0x0)
    /usr/local/go/src/reflect/value.go:300 +0xb1
github.com/codegangsta/cli.HandleAction(0x3a9b00, 0x59e570, 0xc820088640, 0x0, 0x0)
    /Users/me/Desktop/CI_GITHUB/docker-slim/_vendor/src/github.com/codegangsta/cli/app.go:483 +0x2ee
github.com/codegangsta/cli.Command.Run(0x4d1d50, 0x5, 0x0, 0x0, 0xc820011c30, 0x1, 0x1, 0x56b140, 0x3e, 0x0, ...)
    /Users/me/Desktop/CI_GITHUB/docker-slim/_vendor/src/github.com/codegangsta/cli/command.go:186 +0x12ff
github.com/codegangsta/cli.(*App).Run(0xc820001680, 0xc82000a2a0, 0x3, 0x3, 0x0, 0x0)
    /Users/me/Desktop/CI_GITHUB/docker-slim/_vendor/src/github.com/codegangsta/cli/app.go:237 +0xa99
main.runCli()
    /Users/me/Desktop/CI_GITHUB/docker-slim/apps/docker-slim/cli.go:526 +0x4b
main.main()
    /Users/me/Desktop/CI_GITHUB/docker-slim/apps/docker-slim/main.go:5 +0x19

goroutine 17 [syscall, locked to thread]:
runtime.goexit()
    /usr/local/go/src/runtime/asm_amd64.s:1721 +0x1

goroutine 5 [syscall]:
os/signal.loop()
    /usr/local/go/src/os/signal/signal_unix.go:22 +0x18
created by os/signal.init.1
    /usr/local/go/src/os/signal/signal_unix.go:28 +0x37

goroutine 6 [select, locked to thread]:
runtime.gopark(0x59eba8, 0xc82002c728, 0x4d3ea0, 0x6, 0x3a718, 0x2)
    /usr/local/go/src/runtime/proc.go:185 +0x163
runtime.selectgoImpl(0xc82002c728, 0x0, 0x18)
    /usr/local/go/src/runtime/select.go:392 +0xa64
runtime.selectgo(0xc82002c728)
    /usr/local/go/src/runtime/select.go:212 +0x12
runtime.ensureSigM.func1()
    /usr/local/go/src/runtime/signal1_unix.go:227 +0x323
runtime.goexit()
    /usr/local/go/src/runtime/asm_amd64.s:1721 +0x1

goroutine 7 [select]:
main.initSignalHandlers.func1(0xc820018540)
    /Users/me/Desktop/CI_GITHUB/docker-slim/apps/docker-slim/signals.go:24 +0x356
created by main.initSignalHandlers
    /Users/me/Desktop/CI_GITHUB/docker-slim/apps/docker-slim/signals.go:37 +0x140

goroutine 10 [IO wait]:
net.runtime_pollWait(0xf59d20, 0x72, 0xc8200101a0)
    /usr/local/go/src/runtime/netpoll.go:157 +0x60
net.(*pollDesc).Wait(0xc82010a8b0, 0x72, 0x0, 0x0)
    /usr/local/go/src/net/fd_poll_runtime.go:73 +0x3a
net.(*pollDesc).WaitRead(0xc82010a8b0, 0x0, 0x0)
    /usr/local/go/src/net/fd_poll_runtime.go:78 +0x36
net.(*netFD).Read(0xc82010a850, 0xc820230000, 0x2000, 0x2000, 0x0, 0xf54050, 0xc8200101a0)
    /usr/local/go/src/net/fd_unix.go:232 +0x23a
net.(*conn).Read(0xc82002e078, 0xc820230000, 0x2000, 0x2000, 0x0, 0x0, 0x0)
    /usr/local/go/src/net/net.go:172 +0xe4
crypto/tls.(*block).readFromUntil(0xc820122960, 0xf59e30, 0xc82002e078, 0x5, 0x0, 0x0)
    /usr/local/go/src/crypto/tls/conn.go:455 +0xcc
crypto/tls.(*Conn).readRecord(0xc8200b82c0, 0x59ec17, 0x0, 0x0)
    /usr/local/go/src/crypto/tls/conn.go:540 +0x2d1
crypto/tls.(*Conn).Read(0xc8200b82c0, 0xc820125000, 0x1000, 0x1000, 0x0, 0x0, 0x0)
    /usr/local/go/src/crypto/tls/conn.go:901 +0x167
net/http.noteEOFReader.Read(0xf5e3e8, 0xc8200b82c0, 0xc8200ea738, 0xc820125000, 0x1000, 0x1000, 0x0, 0x0, 0x0)
    /usr/local/go/src/net/http/transport.go:1370 +0x67
net/http.(*noteEOFReader).Read(0xc8201c0f40, 0xc820125000, 0x1000, 0x1000, 0x0, 0x0, 0x0)
    <autogenerated>:126 +0xd0
bufio.(*Reader).fill(0xc8201bc6c0)
    /usr/local/go/src/bufio/bufio.go:97 +0x1e9
bufio.(*Reader).Peek(0xc8201bc6c0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0)
    /usr/local/go/src/bufio/bufio.go:132 +0xcc
net/http.(*persistConn).readLoop(0xc8200ea6e0)
    /usr/local/go/src/net/http/transport.go:876 +0xf7
created by net/http.(*Transport).dialConn
    /usr/local/go/src/net/http/transport.go:685 +0xc78

goroutine 11 [select]:
net/http.(*persistConn).writeLoop(0xc8200ea6e0)
    /usr/local/go/src/net/http/transport.go:1009 +0x40c
created by net/http.(*Transport).dialConn
    /usr/local/go/src/net/http/transport.go:686 +0xc9d

goroutine 18 [runnable]:
syscall.errnoErr(0x24, 0x0, 0x0)
    /usr/local/go/src/syscall/syscall_unix.go:140 +0xac
syscall.connect(0x6, 0xc82024600c, 0x10, 0x0, 0x0)
    /usr/local/go/src/syscall/zsyscall_darwin_amd64.go:68 +0x5f
syscall.Connect(0x6, 0xf58df8, 0xc820246000, 0x0, 0x0)
    /usr/local/go/src/syscall/syscall_unix.go:222 +0x74
net.(*netFD).connect(0xc820244000, 0x0, 0x0, 0xf58df8, 0xc820246000, 0x0, 0x0, 0x0, 0x0, 0x0)
    /usr/local/go/src/net/fd_unix.go:75 +0x6a
net.(*netFD).dial(0xc820244000, 0xf58db0, 0x0, 0xf58db0, 0xc8201d3ec0, 0x0, 0x0, 0x0, 0x0, 0x0)
    /usr/local/go/src/net/sock_posix.go:137 +0x351
net.socket(0x4d4348, 0x3, 0x2, 0x1, 0x0, 0xc8201d3e00, 0xf58db0, 0x0, 0xf58db0, 0xc8201d3ec0, ...)
    /usr/local/go/src/net/sock_posix.go:89 +0x411
net.internetSocket(0x4d4348, 0x3, 0xf58db0, 0x0, 0xf58db0, 0xc8201d3ec0, 0x0, 0x0, 0x0, 0x1, ...)
    /usr/local/go/src/net/ipsock_posix.go:160 +0x141
net.dialTCP(0x4d4348, 0x3, 0x0, 0xc8201d3ec0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
    /usr/local/go/src/net/tcpsock_posix.go:171 +0x11e
net.DialTCP(0x4d4348, 0x3, 0x0, 0xc8201d3ec0, 0x0, 0x0, 0x0)
    /usr/local/go/src/net/tcpsock_posix.go:167 +0x2f2
github.com/go-mangos/mangos/transport/tcp.(*dialer).Dial(0xc8202360a0, 0x0, 0x0, 0x0, 0x0)
    /Users/me/Desktop/CI_GITHUB/docker-slim/_vendor/src/github.com/go-mangos/mangos/transport/tcp/tcp.go:82 +0x75
github.com/go-mangos/mangos.(*dialer).dialer(0xc8200e0940)
    /Users/me/Desktop/CI_GITHUB/docker-slim/_vendor/src/github.com/go-mangos/mangos/core.go:572 +0x72
created by github.com/go-mangos/mangos.(*dialer).Dial
    /Users/me/Desktop/CI_GITHUB/docker-slim/_vendor/src/github.com/go-mangos/mangos/core.go:539 +0x121

goroutine 20 [runnable]:
github.com/go-mangos/mangos.(*dialer).dialer(0xc8200e09c0)
    /Users/me/Desktop/CI_GITHUB/docker-slim/_vendor/src/github.com/go-mangos/mangos/core.go:568
created by github.com/go-mangos/mangos.(*dialer).Dial
    /Users/me/Desktop/CI_GITHUB/docker-slim/_vendor/src/github.com/go-mangos/mangos/core.go:539 +0x121

But other images I had, like nilqed/fricas_jupyter or the official ubuntu image, were built successfully by docker-slim. I want to know why daly/axiom cannot be built.

Other info: ./docker-slim --version

docker-slim version darwin|Tetra|1.15|98b6913d1811004548e7989310c8b8c02da6bdbb|2016-06-20_05:02:53AM

docker --version

Docker version 1.11.2, build b9f10c9

And I did not install Go. If there is any other information I have not supplied, please tell me. Thank you!

kcq commented 8 years ago

Thank you for the report! Can you share the command line parameters for the 'docker-slim build' command? It looks like you didn't specify any parameters for the container. Normally it's not a big deal because there's a default thanks to the CMD Dockerfile instruction, but daly/axiom is different and its Dockerfile doesn't have that instruction: https://github.com/daly/axiom/blob/master/Dockerfile . The next version of DockerSlim will correctly detect this condition (when images don't specify ENTRYPOINT/CMD and docker-slim build calls don't have that information either). Either way, your command should look something like this: docker-slim build --cmd axiom daly/axiom.
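The failure mode kcq describes (an image with neither ENTRYPOINT nor CMD, and a build invocation that supplies neither, leaving nothing to index into) can be turned from a panic into a reported error by resolving the command explicitly before the container is created. The following is an added Go example, not docker-slim's own code: ImageConfig, Overrides, ResolveCommand and Executable are hypothetical names, and the override rule follows Docker's own behaviour for `--entrypoint`, where overriding the entrypoint also clears the image's default CMD.

```go
package main

import (
	"errors"
	"fmt"
)

// ImageConfig is a hypothetical stand-in for the parts of an image's config
// that decide what the instrumented container will run.
type ImageConfig struct {
	Entrypoint []string
	Cmd        []string
}

// Overrides are the values a user passes on the command line
// (the equivalent of docker-slim build --entrypoint ... --cmd ...).
type Overrides struct {
	Entrypoint []string
	Cmd        []string
}

// ErrNoCommand is returned instead of letting an empty slice be indexed.
var ErrNoCommand = errors.New("image has no ENTRYPOINT/CMD and none was supplied; pass --entrypoint or --cmd")

// ResolveCommand returns the effective argv for the container. Overrides win
// over the image config field by field. Following Docker's rule, a user
// entrypoint override with no cmd override discards the image's default CMD.
// An empty result is reported as an error rather than indexed later.
func ResolveCommand(img ImageConfig, ov Overrides) ([]string, error) {
	entrypoint := img.Entrypoint
	if len(ov.Entrypoint) > 0 {
		entrypoint = ov.Entrypoint
	}
	cmd := img.Cmd
	if len(ov.Cmd) > 0 {
		cmd = ov.Cmd
	} else if len(ov.Entrypoint) > 0 {
		cmd = nil // entrypoint overridden, image CMD no longer applies
	}
	full := append(append([]string{}, entrypoint...), cmd...)
	if len(full) == 0 {
		return nil, ErrNoCommand
	}
	return full, nil
}

// Executable returns argv[0] without risking an index-out-of-range panic.
func Executable(argv []string) (string, error) {
	if len(argv) == 0 {
		return "", ErrNoCommand
	}
	return argv[0], nil
}

func main() {
	// Constructed scenario: an image like daly/axiom with no ENTRYPOINT/CMD
	// and a build with no overrides. This is the case that used to panic.
	if _, err := ResolveCommand(ImageConfig{}, Overrides{}); err != nil {
		fmt.Println("refusing to start container:", err)
	}

	// Same image with the --cmd axiom suggested above.
	argv, err := ResolveCommand(ImageConfig{}, Overrides{Cmd: []string{"axiom"}})
	if err != nil {
		fmt.Println("unexpected:", err)
		return
	}
	exe, _ := Executable(argv)
	fmt.Printf("container argv=%v executable=%s\n", argv, exe)
}
```

The point of returning ErrNoCommand at resolution time is that the error surfaces before any container is created, so a misconfigured build fails cleanly instead of leaving an instrumented container behind after a crash.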

ghost commented 8 years ago

Thank you for your reply! I did not use any command line parameters other than --http-probe (even though it still did not work). Actually I am not sure what option I should use. I met a "personality change failure 1" problem when running daly/axiom. According to this issue, most uses of personality are blocked. I am not sure how to use docker-slim build to avoid this. Could you please give me a hint?

Mic92 commented 6 years ago

The Docker info API is no longer compatible. Older versions contain the ports in NetworkSettings:

{
  "NetworkSettings": {
    "Bridge": "",
    "SandboxID": "85e398b23c6a8edce07e30e60672513c3f754eea5ae2a2febdd1d05647a42f13",
    "HairpinMode": false,
    "LinkLocalIPv6Address": "",
    "LinkLocalIPv6PrefixLen": 0,
    "Ports": {
      "65501/tcp": [{"HostIp": "0.0.0.0", "HostPort": "32775"}],
      "65502/tcp": [{"HostIp": "0.0.0.0", "HostPort": "32774"}],
      "80/tcp": [{"HostIp": "0.0.0.0", "HostPort": "32776"}]
    }
  }
}

Those fields are no longer present.

Mic92 commented 6 years ago

OK. The problem was actually a different one. @Nil-Zil and I built our docker-slim-sensor plugin on NixOS instead of using the provided executables:

ldd ~/go/bin/docker-slim-sensor
        linux-vdso.so.1 (0x00007ffdec332000)
        libpthread.so.0 => /nix/store/z0b60y0khix9jb74ka56gw7b7n9s8awx-glibc-2.26-131/lib/libpthread.so.0 (0x00007f464556a000)
        libc.so.6 => /nix/store/z0b60y0khix9jb74ka56gw7b7n9s8awx-glibc-2.26-131/lib/libc.so.6 (0x00007f46451b8000)
        /nix/store/dps6gpjd9vmjylqgjhdbw6kyxfbfssn7-glibc-2.26-75/lib/ld-linux-x86-64.so.2 => /nix/store/z0b60y0khix9jb74ka56gw7b7n9s8awx-glibc-2.26-131/lib64/ld-linux-x86-64.so.2 (0x00007f4645788000)

The binaries are therefore linked against the libc in the Nix store, which does not exist in the container. My workaround was to add a bind mount for /nix/ in docker-slim:

diff --git a/internal/app/master/inspectors/container/container_inspector.go b/internal/app/master/inspectors/container/container_inspector.go
index 7b89f57..3aa542a 100644
--- a/internal/app/master/inspectors/container/container_inspector.go
+++ b/internal/app/master/inspectors/container/container_inspector.go
@@ -125,6 +125,7 @@ func (i *Inspector) RunContainer() error {
        volumeBinds = append(volumeBinds, artifactsMountInfo)
        volumeBinds = append(volumeBinds, sensorMountInfo)
+       volumeBinds = append(volumeBinds, "/nix:/nix:ro")
        var containerCmd []string
        if i.DoDebug {
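Review bot: the added line `volumeBinds = append(volumeBinds, "/nix:/nix:ro")` is unconditional and host-specific: it is appended on every host, including ones with no /nix directory, and it exposes the entire host Nix store to every instrumented container, not just the sensor's own libc. If this is kept at all, guard it (check that /nix exists on the host first, or make it an opt-in flag alongside the artifacts and sensor mounts) rather than hard-coding it next to `artifactsMountInfo` and `sensorMountInfo`; the `:ro` suffix limits writes but not what the container can read from the host. Since the hunk is working around a sensor binary that is dynamically linked against a store path, a statically linked sensor removes the need for the mount entirely.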

Using the static binary would also work.

Mic92 commented 6 years ago

I would not consider this a bug in docker-slim itself.